This Adobe AEM flaw is as dangerous as they come, and it’s already being exploited

**Adobe Patches Two Critical AEM Flaws Enabling Code Execution and File Access Without User Interaction**

Adobe has recently addressed two critical security vulnerabilities in its Experience Manager (AEM) product, including one with maximum severity that allows malicious actors to execute arbitrary code remotely. While Adobe stated it is “not aware” of active exploitation in the wild, proof-of-concept (PoC) exploits have been observed.

In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities—tracked as CVE-2025-54253 and CVE-2025-54254—to its Known Exploited Vulnerabilities (KEV) catalog, confirming reports of abuse in real-world attacks.

### About Adobe Experience Manager (AEM)

Adobe Experience Manager is an enterprise-level content management system (CMS) used by large organizations to build, manage, and deliver personalized digital content across websites, mobile apps, and other channels. It plays a critical role in creating and organizing digital experiences.

### Details of the Vulnerabilities

– **CVE-2025-54253**
This vulnerability is described as a “misconfiguration vulnerability” that can be exploited to bypass security mechanisms. It carries a critical severity score of 10/10, representing a maximum risk level.

– **CVE-2025-54254**
This issue involves an “improper restriction of XML External Entity (XXE) Reference,” which allows attackers to read arbitrary files from the file system without any user interaction. It has been rated with a high severity score of 8.6/10.

Both vulnerabilities affect Adobe Experience Manager versions 6.5.23 and earlier.

### Patch and Mitigation

Adobe released a patch for these vulnerabilities in August 2025, updating the product to version 6.5.0-0108. All organizations using affected versions are strongly urged to apply this patch immediately to mitigate risks.

### CISA’s Action and Deadlines

On October 15, 2025, CISA officially added both CVEs to its KEV catalog. The listing requires all Federal Civilian Executive Branch (FCEB) agencies to apply available fixes or mitigations—or discontinue use of the vulnerable software—within three weeks. For these AEM vulnerabilities, the deadline to patch is November 5, 2025.

Although this deadline applies specifically to FCEB agencies, private sector organizations and other government entities should follow suit. Cybercriminals do not discriminate between sectors; any vulnerable system is a potential target.

**Stay Updated**

Keep your systems secure by applying these critical patches promptly.

https://www.techradar.com/pro/security/this-adobe-aem-flaw-is-as-dangerous-as-they-come-and-its-already-being-exploited
